Monthly Archives: February 2012

Apache

[ANNOUNCEMENT] Apache HTTP Server 2.4.1 Released

Leave a comment 
              Apache HTTP Server 2.4.1 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the GA release of version 2.4.1 of the Apache HTTP
Server. This version of Apache HTTP Server is the first GA release of
the new 2.4.x branch.

Apache HTTP Server 2.4 provides a number of improvements and
enhancements over the 2.2 version. A listing and description of these
features is available via:

  http://httpd.apache.org/docs/2.4/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes.

We consider this release to be the best version of Apache HTTP Server
available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.4.1 is available for download from:

  http://httpd.apache.org/download.cgi

This release requires the Apache Portable Runtime (APR) version 1.4.x
and APR-Util version 1.4.x. The APR libraries must be upgraded for all
features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and may require minimal source code changes.

  http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html

A summary of all of the security vulnerabilities addressed in this and
earlier releases is available:

  http://httpd.apache.org/security/vulnerabilities_24.html

Important:
Windows users: AcceptFilter None has replaced Win32DisableAcceptEx 
and the feature appears to have interoperability issues with mod_ssl.
Apache 2.4.1 may not yet be suitable for all Windows servers.  There 
is not yet a Windows binary distribution of httpd 2.4, but this is
expected to be remedied soon as various dependencies graduate from
beta to GA.
Drupal

SA-CORE-2012-001 – Drupal core multiple vulnerabilities

Leave a comment
  • Advisory ID: DRUPAL-SA-CORE-2012-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2012-February-01
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities

Description

Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users’ information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.

Versions affected

  • Drupal 6.x core prior to 6.23.
  • Drupal 7.x core prior to 7.11.

Solution

Install the latest version:

  • If you use Drupal 6.x upgrade to 6.23
  • If you use Drupal 7.x upgrade to 7.11

See also the Drupal core project page.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 
Drupal 6.x
Drupal 7.x